🚨 [security] Update snyk 1.707.0 → 1.1301.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ snyk (1.707.0 → 1.1301.0) · Repo

Security Advisories 🚨

🚨 Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode

Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in DEBUG or DEBUG/TRACE mode.

The issue affects the following Snyk commands:

1. When snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials may be written into the local Snyk CLI debug log. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u).

2. When snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the Snyk access / refresh credential tokens used to connect the CLI to Snyk may be written into the local CLI debug logs.

3. When snyk iac test is executed with a Remote IAC Custom rules bundle, debug mode enabled, AND the log level is set to TRACE, the docker registry token may be written into the local CLI debug logs.

🚨 snyk Code Injection vulnerability

The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable.

NOTE: This issue is independent of the one reported in CVE-2022-40764, and upgrading to a fixed version for this addresses that issue as well.

The affected IDE plugins and versions are:

• VS Code - Affected: <=1.8.0, Fixed: 1.9.0
• IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48
• Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31
• Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions
• Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions

🚨 Snyk plugins vulnerable to Command Injection

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for CVE-2022-40764. A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.

🚨 Snyk CLI affected by Command Injection vulnerability

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 63 commits:

• Merge pull request #6322 from snyk/chore/cherry-pick-fixes-for-rc-1.1301.0
• chore: automatic integration of language server c23fd4ea5f4e025ea40a999f112962072d617bee
• chore: upgrade os extensions to allow nil actions on the fix
• chore: automatic integration of language server 2cc554ec87f0f1b1f8005db11e416f38cc2d3072
• docs: synchronizing help from snyk/user-docs
• chore: improve ufm sarif rendering including ignores
• Merge pull request #6300 from snyk/tmp/1762956787-release-candidate
• docs: update release notes
• Merge pull request #6299 from snyk/fix/golang_1.24.10
• fix(dependencies): Upgrade golang to 1.24.10 to fix vulnerabilities
• Merge pull request #6296 from snyk/feat(test)/new-extension-table-tests
• chore: add table tests for new extension workflow
• Merge pull request #6297 from snyk/fix/upgrade-snyk-mvn-plugin-to-4_3_3
• fix: Adjust maven command invocation on aggregate projects
• Merge pull request #6295 from snyk/chore/CLI-1250_optimize_ufm_presenter
• chore: optimize UFM SARIF presenter
• Merge pull request #6292 from snyk/fix/CN-436-go-binaries-not-scanned-on-windows
• fix: CN-436 go binaries not scanned on windows
• Merge pull request #6290 from snyk/chore/upgrade-dep-graph-extension
• chore: upgrade dep graph extension
• Merge pull request #6294 from snyk/fix/CLI-1249_ufm_exitcode
• fix: ufm exit code handling
• Merge pull request #6091 from snyk/chore/CLI-859_build_npm_helper
• chore: add a simple helper script to locally build the npm package
• Merge pull request #6293 from snyk/docs/automatic-gitbook-update-cli-help-main
• docs: synchronizing help from snyk/user-docs
• Merge pull request #6291 from snyk/chore/CLI-1212_improve_sarif
• chore: update ufm sarif rendering
• Merge pull request #6265 from snyk/chore/CLI-deploy-scoop-on-release
• refactor: catch failure on distribution channels
• refactor: introduce reuse
• chore(ci): deploy homebrew and scoop on release [CLI-1196]
• Merge pull request #6289 from snyk/fix/ramdisk_permission_error
• fix(cicd): remove ramdisk usage
• Merge pull request #6287 from snyk/feat/add-pre-parse-rules
• feat: add pre parse rules to the cliv2
• Merge pull request #6278 from snyk/test/snyk-test-reachability
• test: adding snyk test reachability acceptance test
• Merge pull request #6286 from snyk/chore/bump-os-flows-ext
• chore: bump os flows extension [OSF-122]
• Merge pull request #6284 from snyk/chore/CLI-1212_discrepancies
• fix: ufm sarif differences
• Merge pull request #6281 from snyk/chore/document-local-testing
• chore: document steps for testing with local deps
• Merge pull request #6283 from snyk/chore/update-ls
• chore: update ls
• Merge pull request #6279 from snyk/feat/update-dep-graph-extension
• chore: update dep graph extension
• Merge pull request #6277 from snyk/feat/CLI-1212_ufm_sarif
• chore: enable ufm renderer
• Merge pull request #6275 from snyk/chore/update-gaf-to-663fef5db9c1b83f7611bef0f7b8d9964c24ddc5
• chore: update gaf to 663fef5db9c1
• Merge pull request #6272 from snyk/feat/OSF-187-pruned-dep-graphs
• feat: add a CLI option to print effective dep graphs
• Merge pull request #6274 from snyk/chore/update-gaf-to-1714cd441fa830a2624742315004da3298579d6a
• chore: update gaf to 1714cd441fa830a2624742315004da3298579d6a
• Merge pull request #6266 from snyk/chore/upgrade-os-extension
• chore: upgrade os extensions to support for ignore-policy flag
• Merge pull request #6270 from snyk/fix/release-node-lockfile-parser-2-4-2
• fix: nodejs-lockfile-parser to 2.4.2
• Merge pull request #6269 from snyk/chore/sync-main-1.1300.2
• Merge branch 'release-candidate' into chore/sync-main-1.1300.2
• Merge pull request #6268 from snyk/release/1.1300

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)